Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LHER000698175.xls

Overview

General Information

Sample name:LHER000698175.xls
Analysis ID:1446721
MD5:4816c91c7315f48b5fbb776d90316a0f
SHA1:1e743a1cfe0d2ec9234f90551274759d59ded6bf
SHA256:bff53c74bf4fb85ebe5ad269a1c8ecf2e0f03b026faa29c34683d21f13c1011e
Tags:xls
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Excel sheet contains many unusual embedded objects
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2956 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Excel Network Connections
Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2956, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2956, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80
Sigma detected: Modification of IE Registry Settings
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2956, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: LHER000698175.xlsReversingLabs: Detection: 15%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: global trafficDNS query: name: qr-in.com
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
Source: global trafficHTTP traffic detected: GET /JeYCrvM HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /JeYCrvM HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-AliveCookie: PHPSESSID=0c77kn3a08eub67r90e059mkpe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBFB6FE9.emfJump to behavior
Source: global trafficHTTP traffic detected: GET /JeYCrvM HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /JeYCrvM HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-AliveCookie: PHPSESSID=0c77kn3a08eub67r90e059mkpe
Source: global trafficDNS traffic detected: DNS query: qr-in.com
Source: LHER000698175.xls, 65130000.0.drString found in binary or memory: http://qr-in.com/JeYCrvM
Source: LHER000698175.xls, D18F1661.emf.0.dr, ~DFA4A9D609ACFEE7BB.TMP.0.dr, ~DF4899799A00A7B9A1.TMP.0.dr, 65130000.0.dr, 781C84D6.png.0.drString found in binary or memory: http://www.day.com/dam/1.0

System Summary

barindex
Excel sheet contains many unusual embedded objects
Source: LHER000698175.xlsOLE: Microsoft Excel 2007+
Source: ~DF4899799A00A7B9A1.TMP.0.drOLE: Microsoft Excel 2007+
Source: 65130000.0.drOLE: Microsoft Excel 2007+
Source: LHER000698175.xlsOLE indicator, VBA macros: true
Source: ~DF4899799A00A7B9A1.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engineClassification label: mal52.winXLS@1/10@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\65130000Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR7445.tmpJump to behavior
Source: LHER000698175.xlsOLE indicator, Workbook stream: true
Source: 65130000.0.drOLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: LHER000698175.xlsReversingLabs: Detection: 15%
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: ~DF4899799A00A7B9A1.TMP.0.drInitial sample: OLE indicators vbamacros = False
Source: LHER000698175.xlsInitial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: LHER000698175.xlsStream path 'MBD000E5130/Package' entropy: 7.95029125714 (max. 8.0)
Source: LHER000698175.xlsStream path 'Workbook' entropy: 7.990006136 (max. 8.0)
Source: ~DF4899799A00A7B9A1.TMP.0.drStream path 'Package' entropy: 7.94164766249 (max. 8.0)
Source: 65130000.0.drStream path 'MBD000E5130/Package' entropy: 7.94164766249 (max. 8.0)
Source: 65130000.0.drStream path 'Workbook' entropy: 7.99694987933 (max. 8.0)

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts3
Exploitation for Client Execution		1
Scripting		Path Interception1
Masquerading		OS Credential Dumping1
File and Directory Discovery		Remote ServicesData from Local System2
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Obfuscated Files or Information		LSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable Media12
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
LHER000698175.xls16%ReversingLabsWin32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.day.com/dam/1.00%URL Reputationsafe
http://qr-in.com/JeYCrvM0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
qr-in.com
188.114.96.3
truefalse
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://qr-in.com/JeYCrvMfalse
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://www.day.com/dam/1.0LHER000698175.xls, D18F1661.emf.0.dr, ~DFA4A9D609ACFEE7BB.TMP.0.dr, ~DF4899799A00A7B9A1.TMP.0.dr, 65130000.0.dr, 781C84D6.png.0.drfalse
    • URL Reputation: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    188.114.96.3
    		qr-in.comEuropean Union
    		13335CLOUDFLARENETUSfalse

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1446721
    Start date and time:2024-05-23 20:32:18 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 15s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:LHER000698175.xls
    Detection:MAL
    Classification:mal52.winXLS@1/10@1/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: LHER000698175.xls

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    188.114.96.3PO 4500025813.xlsGet hashmaliciousUnknownBrowse
    • qr-in.com/RtWEZGi
    Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
    • qr-in.com/NAvSGzZ
    SCB REmittance Advice.docGet hashmaliciousLokibotBrowse
    • rocheholding.top/evie3/five/fre.php
    PI No 20000814C.exeGet hashmaliciousFormBookBrowse
    • www.ilodezu.com/z48v/
    https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atvlasestrellas.com%2Fxb%2F97956%2F%2FYy5tdXNjYXRAYW5kYXJpYS5jb20=Get hashmaliciousHTMLPhisherBrowse
    • tvlasestrellas.com/favicon.ico
    http://enter-mantagalaxies.com/Get hashmaliciousUnknownBrowse
    • enter-mantagalaxies.com/
    56882720_50174358_2024-05-23_203027.xlsGet hashmaliciousUnknownBrowse
    • qr-in.com/GDKZCby
    Enquiry No. 2421005.xla.xlsxGet hashmaliciousUnknownBrowse
    • qr-in.com/atBVKxq
    Enquiry No. 2421005.xla.xlsxGet hashmaliciousUnknownBrowse
    • qr-in.com/atBVKxq
    20240403_Oferta factory..xlsGet hashmaliciousUnknownBrowse
    • bitly.cx/owdri

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    qr-in.comPO 4500025813.xlsGet hashmaliciousUnknownBrowse
    • 188.114.96.3
    Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
    • 188.114.96.3
    PO 4500025813.xlsGet hashmaliciousUnknownBrowse
    • 188.114.97.3
    56882720_50174358_2024-05-23_203027.xlsGet hashmaliciousUnknownBrowse
    • 188.114.96.3
    Enquiry No. 2421005.xla.xlsxGet hashmaliciousUnknownBrowse
    • 188.114.96.3
    56882720_50174358_2024-05-23_203027.xlsGet hashmaliciousUnknownBrowse
    • 188.114.97.3
    Enquiry No. 2421005.xla.xlsxGet hashmaliciousUnknownBrowse
    • 188.114.97.3
    56882720_50174358_2024-05-23_203027.xlsGet hashmaliciousUnknownBrowse
    • 188.114.97.3
    Enquiry No. 2421005.xla.xlsxGet hashmaliciousUnknownBrowse
    • 188.114.96.3
    ORDIN.xlsGet hashmaliciousUnknownBrowse
    • 188.114.97.3

    ASNs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    CLOUDFLARENETUSPO 4500025813.xlsGet hashmaliciousUnknownBrowse
    • 188.114.96.3
    hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
    • 104.26.12.205
    Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
    • 188.114.96.3
    Documents Of DHL -BL- AWB- 8976453410.exeGet hashmaliciousAgentTeslaBrowse
    • 172.67.74.152
    Offer Document 24.lnkGet hashmaliciousFormBookBrowse
    • 23.227.38.74
    PO 4500025813.xlsGet hashmaliciousUnknownBrowse
    • 188.114.97.3
    https://freexxxth.linkGet hashmaliciousUnknownBrowse
    • 104.21.25.77
    https://freexxxth.linkGet hashmaliciousUnknownBrowse
    • 172.67.223.248
    SCB REmittance Advice.docGet hashmaliciousLokibotBrowse
    • 188.114.97.9
    V_273686.Lnk.lnkGet hashmaliciousMalLnkBrowse
    • 172.67.217.192

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\781C84D6.png

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 1008 x 529, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):116917
    Entropy (8bit):7.962967514652866
    Encrypted:false
    SSDEEP:3072:K34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyj:k4UcLe0JOqPQZR8MDdATCR3tSw
    MD5:460EFCF478D05AFB04311BA4833B41FB
    SHA1:35A00E81ED5AA915810702E9BA42E0D6E9E24BA1
    SHA-256:ABBF9B20F57F85EDAD5D5B5848335775428B47D1A48C0772A72D7A6C136D9C51
    SHA-512:C5C6414B88579ADF217DE22C52C1CCB244EB532DED4B2533136D54D1D0F2EC474C36E2BC163FB9BCE05079AD06313B559C9746F73BC82FF42933EB1A3B94DD07
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:.PNG........IHDR..............0V.....sRGB.........gAMA......a.....pHYs..........+......iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c137 1.000000, 0000/00/00-00:00:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:ns1="http://www.day.com/dam/1.0". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". ns1:Physicalheightininches="-1.0". ns1:Physicalwidthininches="-1.0". ns1:Fileformat="PNG". ns1:Progressive="no". ns1:extracted="2018-06-11T14:21:13.228-07:00". ns1:Bitsperpixel="8". ns1:MIMEtype="image/png". ns1:Physicalwidthindpi="-1". ns1:Physicalheightindpi="-1". ns1:Numberofimages="1". ns1:Numberoftextualcomments="0". ns1:sha1="a5883b71b35060c98e8449851de4fae668c6ea9d". ns1:size="54990". tiff:ImageLength="727". tiff:ImageWidth="1020". dc:format="

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBFB6FE9.emf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):632816
    Entropy (8bit):1.898425620548482
    Encrypted:false
    SSDEEP:1536:w55mJqmEIyb3eMhu5KBriO6XDn/fKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqlGnqm:ieZu50yknG/qc+f
    MD5:97406AC149008BFED7A4F6665966EBC7
    SHA1:C75509B38208ACB160AA98E9F3047747967988FB
    SHA-256:FB4718E0788BEBCD14AA2DBE7AD828AF2611B38954357D2E02C0B3D14366E8C1
    SHA-512:9C7CBD765F177DB1EF3AF72C5CD668C0C0BE94CC92B0E3BA4038707596E48D9671548E911E5D316DA37C6E1D33FC8C92739F011C5DAF77AC486A3C810F71028D
    Malicious:false
    Reputation:low
    Preview:....l................................5.. EMF.......Z.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D18F1661.emf

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):1045840
    Entropy (8bit):3.2834072772788865
    Encrypted:false
    SSDEEP:6144:tFOSyV4UcLe0JOqDQZR8MDdATCR3tSpjqcw:jUP/qDQZR8MxAm/SNnw
    MD5:22C8FA42D4B22091373F1D1F2EE1912E
    SHA1:F6470431DA354BEAD500EF67FD753D9B4E6302A1
    SHA-256:AEFC1CAC26B122089BBB1ECE6F4F6D0216DD4E91CC1DD293E3CE25C921AD586F
    SHA-512:766199B537C0AA14214ABEC920435A40A2E7899DC0BAB66D00F738749BCC8A51287B6958A2CA5A065E94240739703D1FF1F515C7326013B7F0DDFF7604C63075
    Malicious:false
    Reputation:low
    Preview:....l...........................{....9.. EMF....P...............................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o...'.......................%...........................................................L...d...............>...............?...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............>...............

    C:\Users\user\AppData\Local\Temp\~DF4899799A00A7B9A1.TMP

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):142848
    Entropy (8bit):7.881402049448747
    Encrypted:false
    SSDEEP:3072:s4D26XXJR734UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyb:s4D26JRz4UcLe0JOqPQZR8MDdATCR3tS
    MD5:4E2087E292D76F9FE96FF7091EC18822
    SHA1:BB0BB72A068D5EA2F5041F2C1EBE7170A23A33C1
    SHA-256:EEEB4BD7B60EE6237610DF15BCF81F47202B6B4D7A71D2AC2EA85AC6CE6893B5
    SHA-512:F8E77A0B11E9AE0FE8EB43324D66C2DD81C32F660BB51CBC8FCC19ED1538C01B5A42D1EE5667947CE37AF3780B28452B8A168B58098D9AC7539DBDB995FF7F6D
    Malicious:false
    Reputation:low
    Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

    C:\Users\user\AppData\Local\Temp\~DF77C25078B6368CC1.TMP

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Reputation:high, very likely benign file
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\~DF817BE1803F1E8777.TMP

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Reputation:high, very likely benign file
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\~DFA4A9D609ACFEE7BB.TMP

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):155648
    Entropy (8bit):7.483763112494088
    Encrypted:false
    SSDEEP:3072:u4D26XXJR734UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyb:u4D26JRz4UcLe0JOqPQZR8MDdATCR3tS
    MD5:0990B81F8A106375BE998CFC959804BC
    SHA1:2634913B165E3DBCFEBAF0746594E6525BAA027A
    SHA-256:3DDD23D99A920D6E2A8097741300860C5A5BD793129712433CCE7882D7F4342A
    SHA-512:2F9851870F730DAD735718A9BB0B9E6435BD29BA4B0092642DC62EFFDB4F5C9A85E6243EC973A1C1660B86999DE47CE9043D18C4C0C24AB11851D58613A48652
    Malicious:false
    Reputation:low
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\Desktop\65130000

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:33:48 2024, Security: 1
    Category:dropped
    Size (bytes):343552
    Entropy (8bit):7.949543636520699
    Encrypted:false
    SSDEEP:6144:J4D26JRz4UcLe0JOqPQZR8MDdATCR3tSCEVVuqoB7SRF21qaLD8oQT6HoDgfSxq2:J4K4kUP/qPQZR8MxAm/SC5v7SRF21ioA
    MD5:C12E70E45ED0D495D712BC9C6F662261
    SHA1:EE40B6FBC9EDBFED600FB800AEB8C0DFE94A5596
    SHA-256:D43B37353FAFFB67EA4334C04D06B4681BDABF116CCD1FCCEE0A950F5342A1C8
    SHA-512:959D29F553CE83ECAE15D79CDC8235ECFC72762FC217D6A0BF8846E069D3A0463D29D732C7ABD9A9DF26E46673C8DD98B0D9EBDB01CF73810509A73F4EBCD076
    Malicious:false
    Reputation:low
    Preview:......................>...............................................................v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

    C:\Users\user\Desktop\65130000:Zone.Identifier

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0

    C:\Users\user\Desktop\LHER000698175.xls (copy)

    Download File
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:33:48 2024, Security: 1
    Category:dropped
    Size (bytes):343552
    Entropy (8bit):7.949543636520699
    Encrypted:false
    SSDEEP:6144:J4D26JRz4UcLe0JOqPQZR8MDdATCR3tSCEVVuqoB7SRF21qaLD8oQT6HoDgfSxq2:J4K4kUP/qPQZR8MxAm/SC5v7SRF21ioA
    MD5:C12E70E45ED0D495D712BC9C6F662261
    SHA1:EE40B6FBC9EDBFED600FB800AEB8C0DFE94A5596
    SHA-256:D43B37353FAFFB67EA4334C04D06B4681BDABF116CCD1FCCEE0A950F5342A1C8
    SHA-512:959D29F553CE83ECAE15D79CDC8235ECFC72762FC217D6A0BF8846E069D3A0463D29D732C7ABD9A9DF26E46673C8DD98B0D9EBDB01CF73810509A73F4EBCD076
    Malicious:false
    Preview:......................>...............................................................v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 09:23:56 2024, Security: 1
    Entropy (8bit):7.859841012488562
    TrID:
    • Microsoft Excel sheet (30009/1) 47.99%
    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
    File name:LHER000698175.xls
    File size:249'344 bytes
    MD5:4816c91c7315f48b5fbb776d90316a0f
    SHA1:1e743a1cfe0d2ec9234f90551274759d59ded6bf
    SHA256:bff53c74bf4fb85ebe5ad269a1c8ecf2e0f03b026faa29c34683d21f13c1011e
    SHA512:f1bba49b16272c2536a7ec6a0c6677901e4e0519746d6c832247f4719452b2a5e9c97582fee1d2a097d986b69a4f15ce9b1c9259cbf76f9d560ef70934aaf8a8
    SSDEEP:6144:Ae4UcLe0JOqPQZR8MDdATCR3tSeT0W8rfzvwomokd2:OUP/qPQZR8MxAm/SBW8Lmrd
    TLSH:C6340235BD34D187D1A148B93CDE89D3AF3ABD51AE51B28F3224735EBA72095CC1228D
    File Content Preview:........................>...................................(...........................j......................................................................................................................................................................

    File Icon

    Icon Hash:276ea3a6a6b7bfbf

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "LHER000698175.xls"

    Indicators
    Has Summary Info:
    Application Name:Microsoft Excel
    Encrypted Document:True
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:True
    Summary
    Code Page:1252
    Author:
    Last Saved By:
    Create Time:2006-09-16 00:00:00
    Last Saved Time:2024-05-23 08:23:56
    Creating Application:Microsoft Excel
    Security:1
    Document Summary
    Document Code Page:1252
    Thumbnail Scaling Desired:False
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:786432

    Streams with VBA

    VBA File Name: Sheet1.cls, Stream Size: 977
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
    VBA File Name:Sheet1.cls
    Stream Size:977
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 r . O . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 34 72 02 4f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

    VBA File Name: Sheet2.cls, Stream Size: 977
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
    VBA File Name:Sheet2.cls
    Stream Size:977
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 r I d . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 34 72 49 64 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

    VBA File Name: Sheet3.cls, Stream Size: 977
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
    VBA File Name:Sheet3.cls
    Stream Size:977
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 r m . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 34 72 6d bc 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

    VBA File Name: ThisWorkbook.cls, Stream Size: 985
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
    VBA File Name:ThisWorkbook.cls
    Stream Size:985
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 r a k . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 .
    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 34 72 61 6b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
    General
    Stream Path:\x1CompObj
    CLSID:
    File Type:data
    Stream Size:114
    Entropy:4.25248375192737
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
    General
    Stream Path:\x5DocumentSummaryInformation
    CLSID:
    File Type:data
    Stream Size:244
    Entropy:2.889430592781307
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
    General
    Stream Path:\x5SummaryInformation
    CLSID:
    File Type:data
    Stream Size:200
    Entropy:3.2503503175049815
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . v . . . . . . . . .
    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
    Stream Path: MBD000E5130/\x1CompObj, File Type: data, Stream Size: 99
    General
    Stream Path:MBD000E5130/\x1CompObj
    CLSID:
    File Type:data
    Stream Size:99
    Entropy:3.631242196770981
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: MBD000E5130/Package, File Type: Microsoft Excel 2007+, Stream Size: 148626
    General
    Stream Path:MBD000E5130/Package
    CLSID:
    File Type:Microsoft Excel 2007+
    Stream Size:148626
    Entropy:7.950291257143483
    Base64 Encoded:True
    Data ASCII:P K . . . . . . . . . . ! . - N . . . C . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 2d ca 4e f7 b1 01 00 00 43 06 00 00 13 00 cb 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c7 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: MBD000E5131/\x1Ole, File Type: data, Stream Size: 342
    General
    Stream Path:MBD000E5131/\x1Ole
    CLSID:
    File Type:data
    Stream Size:342
    Entropy:4.964184560090248
    Base64 Encoded:False
    Data ASCII:. . . . ( E O . . . . . . . . . . . . j . . . y . . . K . f . . . h . t . t . p . : . / . / . q . r . - . i . n . . . c . o . m . / . J . e . Y . C . r . v . M . . . $ N W I k . . r 1 B } * . . . K b % j , w . @ . . . . . . . . . . . . . . . . . . . Y . T . T . K . E . D . 0 . z . F . R . l . A . v . h . W . c . d . X . F . I . N . i . m . q . P . L . c . I . L . o . l . G . p . 5 . B . y . Y . g . q . L . b . Z . E . 4 . k . l . t . N . 9 . V . G . 2 . w . l . 9 . 8 . z . e . z . G . i . 0 . Y . G . c . N
    Data Raw:01 00 00 02 85 28 e7 45 bf be d0 4f 00 00 00 00 00 00 00 00 00 00 00 00 6a 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 66 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 71 00 72 00 2d 00 69 00 6e 00 2e 00 63 00 6f 00 6d 00 2f 00 4a 00 65 00 59 00 43 00 72 00 76 00 4d 00 00 00 9e cd 24 f3 aa af 4e 8d 57 8d 49 6b 16 ce d4 b4 85 b1 72 87 9c 82 a8 31 fc e4 42 7d 2a 10
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 84765
    General
    Stream Path:Workbook
    CLSID:
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:84765
    Entropy:7.990006135998404
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . Q ' @ e . > 5 u L _ Z _ n 1 . G . Z . . . . . . . . . . . \\ . p . . | m . . - . R L % > . X . N k 5 . c U E U . . I p M f : . H . X . n ( ) ; B T * . . . ! ( ' V ' e . D H ( ~ . c G 8 B . . . a . . . . . . = . . . . k @ . . . 2 , ) " " . . . , l . . . . . . . . . . . . . . . . . . . . @ = . . . ! . . r Z ` X Y v U @ . . . . . . " . . . . . . . . . . . W \\ . . . n 1 . . . 4 6 . H _ G % . . V e C . 6 X e J 1 . . . Y + M 6 , . C H . ; b R l . p - + 1
    Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 b7 13 51 27 40 b5 ae a7 e2 65 ae b7 8f b7 20 e0 a1 82 3e f2 ff fd ec 92 35 d7 75 4c fa 5f b8 aa 5a 5f 6e 92 a0 31 8e ac d4 1d f7 47 9d b6 04 5a e1 00 02 00 b0 04 c1 00 02 00 16 f8 e2 00 00 00 5c 00 70 00 84 02 90 96 7c be d5 6d ef c1 1e f8 08 82 c5 2d 18 52 4c 25 ae 3e 20 96 00 58 c9 dc e9 d9
    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 535
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECT
    CLSID:
    File Type:ASCII text, with CRLF line terminators
    Stream Size:535
    Entropy:5.282250905274952
    Base64 Encoded:True
    Data ASCII:I D = " { 4 0 B C E B F B - 7 4 7 E - 4 2 B 7 - 8 E 9 2 - 9 5 C A 1 C 0 5 6 5 2 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 F 8 D 7 E A E 9 E A E 6 A B 2 6
    Data Raw:49 44 3d 22 7b 34 30 42 43 45 42 46 42 2d 37 34 37 45 2d 34 32 42 37 2d 38 45 39 32 2d 39 35 43 41 31 43 30 35 36 35 32 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
    CLSID:
    File Type:data
    Stream Size:104
    Entropy:3.0488640812019017
    Base64 Encoded:False
    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
    CLSID:
    File Type:data
    Stream Size:2644
    Entropy:3.9832352617637623
    Base64 Encoded:False
    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
    Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/dir
    CLSID:
    File Type:data
    Stream Size:553
    Entropy:6.334165898207997
    Base64 Encoded:True
    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . ^ h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
    Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 19 a2 5e 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    May 23, 2024 20:33:29.950551987 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:29.955571890 CEST8049163188.114.96.3192.168.2.22
    May 23, 2024 20:33:29.955708981 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:29.955921888 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:30.019994020 CEST8049163188.114.96.3192.168.2.22
    May 23, 2024 20:33:30.991483927 CEST8049163188.114.96.3192.168.2.22
    May 23, 2024 20:33:30.991559029 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:30.992074013 CEST8049163188.114.96.3192.168.2.22
    May 23, 2024 20:33:30.992115974 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:30.995203972 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:30.995227098 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:30.996345997 CEST8049163188.114.96.3192.168.2.22
    May 23, 2024 20:33:30.996392965 CEST4916380192.168.2.22188.114.96.3
    May 23, 2024 20:33:50.228271008 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:50.283509970 CEST8049164188.114.96.3192.168.2.22
    May 23, 2024 20:33:50.286550999 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:50.292990923 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:50.344059944 CEST8049164188.114.96.3192.168.2.22
    May 23, 2024 20:33:51.178670883 CEST8049164188.114.96.3192.168.2.22
    May 23, 2024 20:33:51.178842068 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:51.179738998 CEST8049164188.114.96.3192.168.2.22
    May 23, 2024 20:33:51.182507038 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:51.183387041 CEST8049164188.114.96.3192.168.2.22
    May 23, 2024 20:33:51.183521032 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:51.183521986 CEST4916480192.168.2.22188.114.96.3
    May 23, 2024 20:33:51.184540987 CEST4916480192.168.2.22188.114.96.3

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    May 23, 2024 20:33:29.931143999 CEST5456253192.168.2.228.8.8.8
    May 23, 2024 20:33:29.943341017 CEST53545628.8.8.8192.168.2.22

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    May 23, 2024 20:33:29.931143999 CEST192.168.2.228.8.8.80x2e86Standard query (0)qr-in.comA (IP address)IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    May 23, 2024 20:33:29.943341017 CEST8.8.8.8192.168.2.220x2e86No error (0)qr-in.com188.114.96.3A (IP address)IN (0x0001)false
    May 23, 2024 20:33:29.943341017 CEST8.8.8.8192.168.2.220x2e86No error (0)qr-in.com188.114.97.3A (IP address)IN (0x0001)false

    HTTP Request Dependency Graph

    • qr-in.com

    HTTP Packets

    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    0192.168.2.2249163188.114.96.3802956C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    TimestampBytes transferredDirectionData
    May 23, 2024 20:33:29.955921888 CEST323OUTGET /JeYCrvM HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: qr-in.com
    Connection: Keep-Alive
    May 23, 2024 20:33:30.991483927 CEST1236INHTTP/1.1 500 Internal Server Error
    Date: Thu, 23 May 2024 18:33:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=0c77kn3a08eub67r90e059mkpe; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Robots-Tag: noindex
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lkR4f%2BlGkmTKSQfXCvEtBB27MoQz9Vnx2I74h98eGGjjQUzCY4SkNd5CijRF7AWu1Ej364T1ZwLkrBOkwhTaraQ2NOUJmY5Zk01q%2BvYRtjwdJ8heaEUMlKk5q6Y%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8887227d88100c8e-EWR
    alt-svc: h3=":443"; ma=86400
    Data Raw: 37 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 09 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 09 09 09 09 3c 68 65 61 64 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 09 09 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 30 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 53 6f 75 72 63 65 2b 43 6f 64 65 2b 50 72 6f 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 [TRUNCATED]
    Data Ascii: 7d0<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>500</title> <link href="https://fonts.googleapis.com/css?family=Source+Code+Pro&display=swap" rel="stylesheet"> <style type="text/css">html{font-family:sans-serif;line-height:1.15;-ms-text-size-adjust:100%;-we
    May 23, 2024 20:33:30.992074013 CEST1236INData Raw: 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 7d 62 6f 64 79 2c 68 74 6d 6c 7b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75
    Data Ascii: bkit-text-size-adjust:100%}body{margin:0}body,html{width:100%;height:100%;background-color:#fff}body{color:#080a20;text-align:center;padding:0;min-height:100%;display:table;font-family: 'Source Code Pro', monospace;}h1{font-family:inherit;font
    May 23, 2024 20:33:30.996345997 CEST319INData Raw: 3a 3c 62 72 3e 47 65 6d 45 72 72 6f 72 3a 3a 74 65 6d 70 6c 61 74 65 28 29 3c 2f 6c 69 3e 3c 6c 69 3e 23 31 20 2f 68 6f 6d 65 2f 66 6f 72 67 65 2f 71 72 2d 69 6e 2e 63 6f 6d 2f 63 6f 72 65 2f 47 65 6d 2e 63 6c 61 73 73 2e 70 68 70 28 32 36 37 29
    Data Ascii: :<br>GemError::template()</li><li>#1 /home/forge/qr-in.com/core/Gem.class.php(267):<br>GemError::trigger()</li><li>#2 /home/forge/qr-in.com/core/Gem.class.php(160):<br>Gem::Dispatch()</li><li>#3 /home/forge/qr-in.com/public/index.php(23):<br>G


    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    1192.168.2.2249164188.114.96.3802956C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    TimestampBytes transferredDirectionData
    May 23, 2024 20:33:50.292990923 CEST369OUTGET /JeYCrvM HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: qr-in.com
    Connection: Keep-Alive
    Cookie: PHPSESSID=0c77kn3a08eub67r90e059mkpe
    May 23, 2024 20:33:51.178670883 CEST1236INHTTP/1.1 500 Internal Server Error
    Date: Thu, 23 May 2024 18:33:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Robots-Tag: noindex
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m3MroDcy09uUTiumdawwqnyyrrOt74malcc3l%2B8FRzm%2F4uFOvZRUhBGHBXCb7TzOa9%2FH5%2FnmsAoaDO3YX0BxY5%2BJkW0Ov8ikpay44ZfkZ6dML77BLC0kb%2FiMRnI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 888722fc0f481889-EWR
    alt-svc: h3=":443"; ma=86400
    Data Raw: 37 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 09 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 09 09 09 09 3c 68 65 61 64 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 09 09 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 30 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 53 6f 75 72 63 65 2b 43 6f 64 65 2b 50 72 6f 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 [TRUNCATED]
    Data Ascii: 7d0<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>500</title> <link href="https://fonts.googleapis.com/css?family=Source+Code+Pro&display=swap" rel="stylesheet"> <style type="text/css">html{font-family:sans-serif;line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}body,html
    May 23, 2024 20:33:51.179738998 CEST1236INData Raw: 7b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 30 38 30 61 32 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72
    Data Ascii: {width:100%;height:100%;background-color:#fff}body{color:#080a20;text-align:center;padding:0;min-height:100%;display:table;font-family: 'Source Code Pro', monospace;}h1{font-family:inherit;font-weight:700;line-height:1.1;color:inherit;font-siz
    May 23, 2024 20:33:51.183387041 CEST269INData Raw: 72 2d 69 6e 2e 63 6f 6d 2f 63 6f 72 65 2f 47 65 6d 2e 63 6c 61 73 73 2e 70 68 70 28 32 36 37 29 3a 3c 62 72 3e 47 65 6d 45 72 72 6f 72 3a 3a 74 72 69 67 67 65 72 28 29 3c 2f 6c 69 3e 3c 6c 69 3e 23 32 20 2f 68 6f 6d 65 2f 66 6f 72 67 65 2f 71 72
    Data Ascii: r-in.com/core/Gem.class.php(267):<br>GemError::trigger()</li><li>#2 /home/forge/qr-in.com/core/Gem.class.php(160):<br>Gem::Dispatch()</li><li>#3 /home/forge/qr-in.com/public/index.php(23):<br>Gem::Bootstrap()</li><li>#4 {main}</li></ul></div><


    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:14:33:05
    Start date:23/05/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Imagebase:0x13f4a0000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Disassembly

    Code Analysis

    Call Graph

    • Entrypoint
    • Decryption Function
    • Executed
    • Not Executed
    • Show Help
    callgraph 1 Error: Graph is empty

    Module: Sheet1

    Declaration
    LineContent
    1

    Attribute VB_Name = "Sheet1"

    2

    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = True

    Module: Sheet2

    Declaration
    LineContent
    1

    Attribute VB_Name = "Sheet2"

    2

    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = True

    Module: Sheet3

    Declaration
    LineContent
    1

    Attribute VB_Name = "Sheet3"

    2

    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = True

    Module: ThisWorkbook

    Declaration
    LineContent
    1

    Attribute VB_Name = "ThisWorkbook"

    2

    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = True

    Reset < >